Abstract:
http://hongbin7698.blog.163.com/blog/static/595915952010112192949482/
I had just solved the hard-coding problem for looking up EPROCESS and ETHREAD when I ran into the hard-coding of system service numbers. I just found a method, as follows.
=== Environment: win7 + windbg + livekd ===
0: kd> u ZwCreateProcessEx
nt!ZwCreateProcessEx:
8427eff4 b850000000      mov     eax,50h        <--------- Note: this is the hard-coded system service number.
8427eff9 8d542404        lea     edx,[esp+4]
8427ef